Abstract

The impossibility proof on unconditionally secure quantum bit 
commitment is critically reviewed. Different ways of obtaining secure 
protocols are indicated. 



NOTE: This article is going to appear in the 2002 QCMC Proceedings, and 
is based on quant-ph/0207089. It contains a concise summary of several gaps
in the QBC impossibility proof, and a brief description of an unconditionally
secure protocol QBC1. Of all the QBC protocols I have been presenting
so far with various claims, I will in the not-too-distant future elaborate on 
which ones are secure as they are, which ones can be modified to be secure, 
which ones (such as QBC4) are essentially insecure, and which ones have 
undecided security status. This should clarify and correct any ambiguous or 
erroneous statements concerning these protocols. 
1 Introduction



There is a nearly universal acceptance of the general impossibility of
secure quantum bit commitment (QBC), taken to be a consequence of the
Einstein-Podolsky-Rosen (EPR) type entanglement cheating which rules out 
QBC and other quantum protocols that have been proposed for various
cryptographic objectives. Since there is no characterization of all possible QBC
protocols, logically there can be no general impossibility proof as maintained 
to this date. In this article, which is based on Ref. ||, we explain the nature 
of various gaps and incompleteness in the impossibility proof, in addition 
to this a priori logical point. They should make clear the fact that there is 
no impossibility theorem even in the absence of a specific protocol that has 
been proved unconditionally secure. But we also describe an unconditionally 
secure protocol QBC1 and other possible approaches for obtaining secure 
protocols. 

2 The impossibility proof 

The essential ideas that constitute the impossibility proof are generally agreed
upon. Adam and Babe have available to them two-way quantum communications
that terminate in a finite number of exchanges, during which either party can
perform any operation allowed by the laws of quantum physics. During these
exchanges, Adam would have committed a bit with associated evidence to Babe.
It is argued that, at the end of the commitment phase, there is an entangled
pure state \(|\Phi_b\rangle\), \(b \in \{0,1\}\), shared between Adam, who
possesses state space \(\mathcal{H}^A\), and Babe, who possesses
\(\mathcal{H}^B\). For example, if Adam sends Babe one of \(M\) possible states
\(\{|\phi_{bi}\rangle\}\) for bit \(b\) with probability \(p_{bi}\), then
\(|\Phi_b\rangle = \sum_i \sqrt{p_{bi}}\,|e_i\rangle|\phi_{bi}\rangle\) with
orthonormal \(|e_i\rangle \in \mathcal{H}^A\) and given
\(|\phi_{bi}\rangle \in \mathcal{H}^B\). Adam would open by making a
measurement on \(\mathcal{H}^A\), say \(\{|e_i\rangle\}\), communicating to
Babe his result \(i_0\) and \(b\); then Babe would verify by measuring
\(|\phi_{bi_0}\rangle\langle\phi_{bi_0}|\) on \(\mathcal{H}^B\), accepting as
correct only the result 1.

Generally, Babe can try to identify the bit from \(\rho_b^B\), the marginal
state of \(|\Phi_b\rangle\) on \(\mathcal{H}^B\), by performing an optimal
quantum measurement that yields the optimal cheating probability \(P_c^B\) for
her. Adam cheats by committing \(|\Phi_0\rangle\) and making a measurement on
\(\mathcal{H}^A\) to open \(i\) and \(b = 1\). His probability of successful
cheating is computed through \(|\Phi_b\rangle\), his particular measurement,
and Babe's verifying measurement; the one optimized over all of his possible
actions will be denoted \(P_c^A\). For a fixed measurement basis, Adam's
cheating can be described by a unitary operator \(U^A\) on \(\mathcal{H}^A\).
When \(\rho_0^B = \rho_1^B\), i.e., \(P_c^B = 1/2\), \(U^A\) is obtained via
the Schmidt decomposition of \(|\Phi_b\rangle\). For unconditional, rather
than perfect, security, one demands that both cheating probabilities
\(P_c^B - 1/2\) and \(P_c^A\) can be made arbitrarily small when a security
parameter \(n\) is increased. Thus, unconditional security is quantitatively
expressed as

\[
\text{(US)} \qquad \lim_n P_c^B = \tfrac{1}{2}, \qquad \lim_n P_c^A = 0. \tag{1}
\]

This condition (1) says that, for any \(\epsilon > 0\), there exists an
\(n_0\) such that for all \(n > n_0\), \(P_c^B - 1/2 < \epsilon\) and
\(P_c^A < \epsilon\), to which we refer as \(\epsilon\)-concealing and
\(\epsilon\)-binding. These cheating probabilities are to be computed purely on
the basis of physical laws, and thus would survive any change in technology,
including any increase in computational power. One can write down explicitly
\(P_c^B = \tfrac{1}{4}\bigl(2 + \|\rho_0^B - \rho_1^B\|_1\bigr)\). The
corresponding \(P_c^A\) satisfies:

\[
4\bigl(1 - P_c^B\bigr)^2 \le P_c^A \le 2\sqrt{P_c^B\bigl(1 - P_c^B\bigr)}. \tag{2}
\]

The lower bound in (2) yields the impossibility proof

\[
\text{(IP)} \qquad \lim_n P_c^B = \tfrac{1}{2} \;\Longrightarrow\; \lim_n P_c^A = 1. \tag{3}
\]
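Two steps that the text above only states are worked out here as an added illustration, not part of the original paper: how the cheating unitary \(U^A\) is read off the Schmidt decomposition in the perfectly concealing case \(\rho_0^B = \rho_1^B\), and the quantitative form of (3) that follows from the lower bound in (2). The Schmidt coefficients \(\mu_j, \mu'_j\), the vectors \(|a_j\rangle, |a'_j\rangle, |g_j\rangle, |g'_j\rangle\) and the phases \(\alpha_j\) are notation introduced here, not the paper's.

```latex
\begin{aligned}
&\text{Schmidt forms of the two committed states (notation introduced here):}\\
&|\Phi_0\rangle = \sum_j \sqrt{\mu_j}\,|a_j\rangle|g_j\rangle, \qquad
  |\Phi_1\rangle = \sum_j \sqrt{\mu'_j}\,|a'_j\rangle|g'_j\rangle, \qquad
  \rho_b^B = \operatorname{tr}_A |\Phi_b\rangle\langle\Phi_b| ,\\[4pt]
&\rho_0^B = \sum_j \mu_j\,|g_j\rangle\langle g_j|, \qquad
  \rho_1^B = \sum_j \mu'_j\,|g'_j\rangle\langle g'_j| .\\[6pt]
&\text{Perfect concealing makes the two spectral decompositions agree}\\
&\text{(nondegenerate spectrum assumed; for a degenerate } \mu_j \text{ the phase becomes a unitary within the eigenspace):}\\
&\rho_0^B = \rho_1^B \;\Longrightarrow\; \mu'_j = \mu_j,\quad
  |g'_j\rangle = e^{i\alpha_j}|g_j\rangle .\\[6pt]
&\text{Adam's cheating unitary acts on } \mathcal{H}^A \text{ alone:}\\
&U^A|a_j\rangle := e^{i\alpha_j}|a'_j\rangle \;\Longrightarrow\;
  (U^A \otimes I)|\Phi_0\rangle
  = \sum_j \sqrt{\mu_j}\,e^{i\alpha_j}|a'_j\rangle|g_j\rangle
  = \sum_j \sqrt{\mu'_j}\,|a'_j\rangle|g'_j\rangle = |\Phi_1\rangle ,
  \quad\text{so } P_c^A = 1 .\\[10pt]
&\text{Quantitative form of (3) from the lower bound in (2), for } 0 < \epsilon \le \tfrac12 :\\
&P_c^B \le \tfrac12 + \epsilon
  \;\Longrightarrow\; 1 - P_c^B \ge \tfrac12 - \epsilon \ge 0
  \;\Longrightarrow\; P_c^A \ge 4\bigl(\tfrac12 - \epsilon\bigr)^2
  = 1 - 4\epsilon + 4\epsilon^2 \ge 1 - 4\epsilon .\\[4pt]
&\text{With } \epsilon\text{-binding, } P_c^A < \epsilon, \text{ both require } 1 - 4\epsilon < \epsilon,
  \text{ i.e. } \epsilon > \tfrac15; \text{ letting } \epsilon \to 0 \text{ gives (3).}
\end{aligned}
```

The first derivation is where the formulation's assumption enters: \(U^A\) is defined on the whole of \(\mathcal{H}^A\), which is exactly what Section 5 below questions when only part of that space is available to Adam.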
When random numbers known only to one party are used in the commitment, they
are to be replaced by corresponding entanglement purification. For a random
\(k\), it is argued from the doctrine of the "Church of the Larger Hilbert
Space" that it is to be replaced by the purification in
\(\mathcal{H}^{B1} \otimes \mathcal{H}^{B2}\),

\[
|\Psi\rangle = \sum_k \sqrt{\lambda_k}\,|\psi_k\rangle|f_k\rangle, \tag{4}
\]

where the \(|f_k\rangle\)'s are complete orthonormal in \(\mathcal{H}^{B2}\),
kept by Babe, while \(\mathcal{H}^{B1}\) would be sent to Adam. Similar
purification is to be used for performing any operation during commitment that
might otherwise require an actual measurement. As a consequence, it is claimed
that a shared state \(|\Phi_b\rangle\) at the end of commitment is known to
both parties.

It appears that there is much incompleteness in the impossibility proof.
For example, one may observe that the cheating probability depends on
Babe's verifying measurement. For an arbitrary protocol, the impossibility
proof formulation does not, and in fact cannot, specify what the possible
verifying measurements could be. There is no proof given that there cannot
be more than one verifying measurement for which different cheating
transformations are needed. When such a situation occurs, Adam may not know
which one to use for a successful cheat. Even though this gap can be
closed, in a proof that is not totally obvious, it is indicative of the
incompleteness of the impossibility proof. The following situations show that
the impossibility proof formulation is actually widely incomplete. A protocol
may involve cheating detection during commitment with corresponding possibility
of aborting the protocol, a situation different from cheat-sensitive protocols.
It has to be decided what would happen when cheating is detected, say in a
game-theoretic formulation. It makes no sense to keep trying until one party's
cheating is not detected; some limit on the number of detected cheats must
be imposed. Assuming both parties are honest and not trying to cheat, which
is what the impossibility proof formulation does except for Adam forming
entanglement instead of sending one \(|\phi_{bi}\rangle\), also makes no sense
because there would then be no need for a protocol. (Actually, the
\(|\phi_{bi}\rangle\) entanglement step is often mistakenly described as an
honest one.) These possibilities have not been accounted for. In the
discussions of a proper framework for QBC protocols in Ref. ||, we have
codified some intuitively valid rules for protocol formation under the names
Intent Principle and Libertarian Principle. In the following, we will discuss
several of the many gaps in the impossibility proof.

3 No impossibility theorem without QBC definition

A plausible first reaction to the impossibility proof is: why are all possible 
QBC protocols covered by its formulation? More precisely, how may one 
define the necessary feature of an unconditionally secure QBC protocol that 
is required for any proof of a mathematical theorem that says such protocol 
is impossible? No such definition is available. The situation is similar to the 
lack of a definition of an "effectively computable" function in the context 
of the Church-Turing thesis. Nobody calls the Church-Turing thesis the
Church-Turing theorem. This is because there is no mathematical definition
of an effectively computable function. The logical possibility is open that 
someday a procedure may be found that is intuitively or even physically 
effective, but which can compute a nonrecursive arithmetical function. 

Thus in the absence of a precise definition of a QBC protocol, one would 
have at best an "impossibility thesis", not an impossibility theorem. (This 
view was emphasized to the author by Masanao Ozawa.) Just as there appear 
to be many different forms of effective procedures, there are many different
QBC protocol types that appear not to be captured by the impossibility
proof formulation. To uphold just an "impossibility thesis", one would need 
to prove that unconditionally secure QBC is impossible in each of these types. 

4 Unknown versus random parameter 

The impossibility proof regards any number unknown to one party as a random
variable with a known probability distribution, from which the purification
(4) may be formed. However, as is well known in classical statistics, not
every unknown parameter is a random variable. In the present situation, there
is an infinite number of open possibilities, such as the number of states and
operations available, that admits no uniform probability distribution or
actual entanglement for the purpose of EPR cheats. Furthermore, there is
simply no ensemble here for the unknown parameter to be averaged over. In an
analogous situation in the quantum information literature, this error has
recently been called the "Partition Ensemble Fallacy Fallacy". More
significantly, there is no need for Adam to know the probability under
concealing for every \(\{\lambda_k\}\). The proper approach is to regard the
state \(|\Psi\rangle\) of (4) as an unknown "parameter" in an infinite space.
The other party does not need to know it, or to know its probability
distribution even if it has one, because of the following Secrecy Principle,
which is a corollary of the Intent Principle and Libertarian Principle.

Secrecy Principle: A party does not need to reveal a secret parameter
chosen by her in whatever manner if it does not affect the security of
the other party, who cannot reject the protocol on such a basis.

Thus, generation of the secret parameter can be automated by one party, and
it can be kept secret just as Adam can keep his bit \(b\) secret or a secret
key can be kept secret in standard cryptography.

Indeed, with the use of (4) by Babe, it is not sufficient for concealing to
assume that one fixed \(|\Psi\rangle\) is used by her, as is done in the
impossibility proof. Two examples are given in Ref. ||, which show that Babe
can cheat by using another or \(|\Psi\rangle\) than the one prescribed, and
nothing in the impossibility proof formulation prevents her from doing that.
If one imposes the condition that the protocol is \(\epsilon\)-concealing for
every possible choice of \(|\Psi\rangle\), then there is no impossibility
proof until one shows that there is a cheating transformation for Adam which
will work for every possible \(|\Psi\rangle\). In the case of perfect
concealing, this has been proved for a single use of (4) by Babe. The
corresponding \(\epsilon\)-concealing case is yet to be resolved. See the
article by G. M. D'Ariano in this volume for a quantitative discussion.

Note that the Secrecy Principle directly contradicts the claim that a pure
\(|\Phi_b\rangle\) is openly known at the end of commitment. One consequence
is that because Babe does not know \(\{p_{bi}\}\), the usual specification of
the concealing condition is a sufficient but not necessary one for a general
impossibility proof. Furthermore, one has to show that whatever information
Adam lacks on \(|\Phi_b\rangle\), such as the \(|f_k\rangle\) of (4), is not
needed for his cheating. Observe also that (4) is not equivalent to the mere
generation of \(|\psi_k\rangle\) with probability \(\lambda_k\), due to the
presence of off-diagonal terms \(|f_k\rangle\langle f_{k'}|\). Such
purification has to be considered because of possible entanglement cheating,
not because of the Church of the Larger Hilbert Space. Indeed, entanglement
may help determine the bit through such terms, as the example in the next
section shows. Even with the Church, the two cases are not equivalent.
5 Shifting of the evidence state space



Even when a pure \(|\Phi_b\rangle\) is openly known, the impossibility proof
does not cover the situations in which opening and verification are more
elaborate, involving component parts of \(\mathcal{H}^A\) and
\(\mathcal{H}^B\). In particular, consider a protocol in which Babe forms (4)
and sends Adam \(\mathcal{H}^{B1}\), with
\(|\psi_k\rangle = |\psi_{k1}\rangle|\psi_{k2}\rangle\) in
\(\mathcal{H}^{B1} = \mathcal{H}^{B11} \otimes \mathcal{H}^{B12}\). Adam
randomly switches the state in \(\mathcal{H}^{B11}\) to be that of
\(|\psi_{k1}\rangle\) or \(|\psi_{k2}\rangle\) by the unitary permutation
\(P_m\), \(m \in \{1,2\}\), modulates the resulting state in
\(\mathcal{H}^{B11}\) by a single \(U_b\) for each \(b\), and sends it to
Babe. He opens by revealing \(b\), his random permutation \(P_m\), and
returning \(\mathcal{H}^{B12}\). Babe verifies by testing the appropriate
states in \(\mathcal{H}^{B11}\) for checking \(b\), and \(\mathcal{H}^{B12}\)
for checking that there is no change. It is possible that the protocol is both
concealing and binding for the following reason. For the final committed state
\(|\Phi_b\rangle\) with Adam entangling the \(P_m\) with
\(|e_m\rangle \in \mathcal{H}^{A1}\), we have
\(\mathcal{H}^A = \mathcal{H}^{A1} \otimes \mathcal{H}^{B12}\) and
\(\mathcal{H}^B = \mathcal{H}^{B11} \otimes \mathcal{H}^{B2}\). Thus,
\(\rho_0^B\) can be close to \(\rho_1^B\) because \(\mathcal{H}^{B12}\) is not
available to Babe for her cheating. However, only \(\mathcal{H}^{A1}\), and
not \(\mathcal{H}^A\), is available to Adam's cheating, so he cannot apply the
required cheating \(U^A\) without being found cheating with a nonvanishing
probability. Using the upper bound in (2), the security condition can be
expressed as
\(\rho_0^B(\mathcal{H}^{B12} \otimes \mathcal{H}^{B2}) \sim \rho_1^B(\mathcal{H}^{B12} \otimes \mathcal{H}^{B2})\)
and
\(\rho_0^B(\mathcal{H}^{B1} \otimes \mathcal{H}^{B2}) \not\sim \rho_1^B(\mathcal{H}^{B1} \otimes \mathcal{H}^{B2})\).
To preserve the impossibility proof one would need to show that, in addition
to (1),
\(\lim_n P_c^B(\mathcal{H}^{B12} \otimes \mathcal{H}^{B2}) = \tfrac{1}{2} \;\Longrightarrow\; \lim_n P_c^B(\mathcal{H}^{B1} \otimes \mathcal{H}^{B2}) = \tfrac{1}{2}\).
Clearly, this has not been proved.

As an example, consider the case
\(\mathcal{H}^{B1} = \mathcal{H}^{B11} \otimes \mathcal{H}^{B12} \otimes \mathcal{H}^{B13} \otimes \mathcal{H}^{B14}\)
of four qubits, with
\(\{|\psi_k\rangle\} = \{|1\rangle|2\rangle|3\rangle|4\rangle,\ |4\rangle|1\rangle|2\rangle|3\rangle,\ |3\rangle|4\rangle|1\rangle|2\rangle,\ |2\rangle|3\rangle|4\rangle|1\rangle\}\),
where \(\{|1\rangle, |2\rangle, |3\rangle, |4\rangle\}\) are, e.g., a fixed set
\(S_0\) of four possible BB84 states on a given great circle of a qubit. Adam
permutes each by one of four possible \(P_m\), and returns the first qubit to
Babe unchanged for \(b = 0\), while shifted by \(\pi\) in the great circle for
\(b = 1\). Assume first that Babe either did not entangle, or cannot use her
entanglement in \(\mathcal{H}^{B2}\). Then
\(\rho_0^B(\psi_k) = \rho_1^B(\psi_k)\) for all \(k\), and no entanglement of
permutations would produce a rotation on the first qubit while not disturbing
the others. Thus, Adam cannot cheat perfectly and has a fixed \(P_c^A\) for
this protocol which is not arbitrarily close to one, even though it is
perfectly concealing. If one can find a case in which the protocol remains
perfectly concealing with entanglement by Babe, which is not the case in this
example, (IP) of (3) would be contradicted, and the case can be extended to
become an unconditionally secure protocol by repeating it in a sequence. Such
a case can indeed be found in this kind of protocol, which we call Type 2.

6 Protocol QBC1 

If carried out honestly, this protocol is conceptually simple and works as
follows. Adam sends Babe \(n\) qubits with states selected randomly and
independently from \(S_0\). Babe then picks randomly one of these qubits and
sends it back to Adam, who would leave it unchanged or shift it by \(\pi\),
depending on whether \(b = 0\) or 1, and commit it as evidence. He opens by
revealing \(b\) and all the qubit states, and Babe verifies by corresponding
measurements.
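As an added numerical check, not part of the paper, the following Python evaluates Babe's optimal cheating probability \(P_c^B = \tfrac14(2 + \|\rho_0^B - \rho_1^B\|_1)\) from Section 2, together with the bounds (2) on \(P_c^A\), for the single qubit that reaches Babe both in the Section 5 four-qubit example and in QBC1. It assumes that the four BB84 states of \(S_0\) are \(|0\rangle, |+\rangle, |1\rangle, |-\rangle\) at angles \(0, \pi/2, \pi, 3\pi/2\) on one great circle, parametrised as \(\cos(\theta/2)|0\rangle + \sin(\theta/2)|1\rangle\), so that the \(\pi\) shift maps \(S_0\) onto itself; the function names and the encoding of the cyclic permutations \(P_m\) are this example's own.

```python
import math

# Added example, not from the paper. Computes P_c^B = (1/4)(2 + ||rho_0^B - rho_1^B||_1)
# for one returned qubit and the bounds 4(1-P_c^B)^2 <= P_c^A <= 2 sqrt(P_c^B (1-P_c^B))
# of (2). Pure Python, no numpy: every state here is real, so density matrices
# are real symmetric 2x2 matrices stored as nested lists.

def great_circle_state(theta):
    """Qubit state cos(theta/2)|0> + sin(theta/2)|1>; theta is the angle on the great circle (assumed parametrisation)."""
    return (math.cos(theta / 2.0), math.sin(theta / 2.0))

def projector(psi):
    """|psi><psi| for a real two-component state."""
    a, b = psi
    return [[a * a, a * b], [b * a, b * b]]

def uniform_mixture(states):
    """Density matrix of a state drawn uniformly from the given list of pure states."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for psi in states:
        p = projector(psi)
        for r in range(2):
            for c in range(2):
                rho[r][c] += p[r][c] / len(states)
    return rho

def trace_norm_2x2(m):
    """Trace norm ||m||_1 of a real symmetric 2x2 matrix: sum of |eigenvalues|."""
    a, c, d = m[0][0], m[0][1], m[1][1]
    mean = (a + d) / 2.0
    half_gap = math.sqrt(((a - d) / 2.0) ** 2 + c * c)
    return abs(mean + half_gap) + abs(mean - half_gap)

def babe_cheating_probability(thetas):
    """P_c^B when the qubit Babe holds is drawn uniformly from the angles `thetas`,
    left unchanged for b = 0 and shifted by pi along the great circle for b = 1."""
    rho0 = uniform_mixture([great_circle_state(t) for t in thetas])
    rho1 = uniform_mixture([great_circle_state(t + math.pi) for t in thetas])
    diff = [[rho0[r][c] - rho1[r][c] for c in range(2)] for r in range(2)]
    return (2.0 + trace_norm_2x2(diff)) / 4.0

def adam_bounds(p_b):
    """(lower, upper) bounds on P_c^A from inequality (2), given P_c^B."""
    return 4.0 * (1.0 - p_b) ** 2, 2.0 * math.sqrt(p_b * (1.0 - p_b))

# S_0: the four BB84 states |0>, |+>, |1>, |-> on one great circle (assumed angles).
S0 = [0.0, math.pi / 2.0, math.pi, 3.0 * math.pi / 2.0]

# Section 5 example: |psi_k> is one of the four cyclic arrangements of |1>|2>|3>|4>
# (encoded as indices into S0). Adam applies one of the four cyclic permutations
# P_m at random and returns the first qubit; over m the first qubit ranges over S_0.
CYCLIC_ARRANGEMENTS = [(0, 1, 2, 3), (3, 0, 1, 2), (2, 3, 0, 1), (1, 2, 3, 0)]

def first_qubit_angles(k):
    """Angles of the first qubit of P_m |psi_k> for the four cyclic shifts m."""
    arrangement = CYCLIC_ARRANGEMENTS[k]
    return [S0[arrangement[m]] for m in range(4)]

if __name__ == "__main__":
    cases = [("QBC1, qubit drawn from S_0", S0),
             ("single fixed state |0>", [0.0]),
             ("two states |0>, |+>", [0.0, math.pi / 2.0])]
    for label, thetas in cases:
        p = babe_cheating_probability(thetas)
        print("%-28s P_c^B = %.4f  bounds on P_c^A = (%.4f, %.4f)" % ((label, p) + adam_bounds(p)))
    for k in range(4):
        print("Section 5 example, k = %d: P_c^B = %.4f" % (k, babe_cheating_probability(first_qubit_angles(k))))
```

For \(S_0\), and for every \(|\psi_k\rangle\) of the Section 5 example, the two marginals coincide, so \(P_c^B = 1/2\) and (2) pins \(P_c^A\) at 1, the value the impossibility proof would assign; the argument of Sections 5 and 6 is that this bound presupposes Adam can apply \(U^A\) on all of \(\mathcal{H}^A\), which in these protocols he cannot do without detection. The contrasting inputs show that the randomization over all four states, not the \(\pi\) shift by itself, is what makes the returned qubit concealing: a single fixed state gives \(P_c^B = 1\), and two states give \((2 + \sqrt{2})/4 \approx 0.854\).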

We assume that no cheating by either party, other than entanglement, occurs
during commitment, as in the impossibility proof formulation, say under heavy
penalty in a game-theoretic formulation where state checking is done by both
parties. Thus the protocol is perfectly concealing. There are many ways for
Babe to randomly pick one of the \(n\) qubits, say by permutation into a fixed
qubit among the \(n\) ones, or into a separate fixed qubit, each with its own
purification. If Adam knows which particular way Babe chooses, it can be shown
that he can cheat successfully. However, his success depends crucially on this
knowledge, and no further entanglement purification by Babe is possible over
these different ways that would allow her to send back a single qubit to Adam
for bit modulation. While the situation here has some similarity to our Type 3
protocols, it is one that cannot be completely purified even with a known
probability distribution, and the impossibility proof does not apply. Thus,
the protocol becomes \(\epsilon\)-binding for large \(n\). A full security
proof of this protocol and detailed treatment of Type 2 protocols will be
presented elsewhere.